[Snort-users] Performance again

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Dec 23 07:56:02 EST 2003


The first question is, anyway, what is actually meant by the statistics?
It would be interesting to know in which stages of the process a
packet drop may occur and what is meant by the output/perfmon:

1. During the capture (and copy from the kernel to the user space)
2. During the preprocessing/reassembling/decoding
3. During the pattern matching/alerting
4. During the output
5. Other?

AFAIK the statistics are only telling us what libpcap told
Snort (1.)? So how would more frequent perfmon output provide more
information? So I have to take a look at the complete situation in order
to guess(!) which task took so long that Snort had to give it up and
begin processing the new input.


Brian wrote:

[Invalid method]
> Your method for coming to your conclusion is invalid.  You can not
> ignore what happens before snort drops packets, as that is probably
> what is causing the drop.  If you need finer grained information, set
> perfmonitor to dump its data more frequently.
> Brian

Edin Dizdarevic
